pgsql: Prevent path traversal in pg_basebackup and pg_rewind

public inbox for [email protected]  
help / color / mirror / Atom feed

From: Noah Misch <[email protected]>
To: [email protected]
Subject: pgsql: Prevent path traversal in pg_basebackup and pg_rewind
Date: Mon, 11 May 2026 12:19:37 +0000
Message-ID: <[email protected]> (raw)

Prevent path traversal in pg_basebackup and pg_rewind

pg_rewind and pg_basebackup could be fed paths from rogue endpoints that
could overwrite the contents of the client when received, achieving path
traversal.

There were two areas in the tree that were sensitive to this problem:
- pg_basebackup, through the astreamer code, where no validation was
performed before building an output path when streaming tar data.  This
is an issue in v15 and newer versions.
- pg_rewind file operations for paths received through libpq, for all
the stable branches supported.

In order to address this problem, this commit adds a helper function in
path.c, that reuses path_is_relative_and_below_cwd() after applying
canonicalize_path().  This can be used to validate the paths received
from a connection point.  A path is considered invalid if any of the two
following conditions is satisfied:
- The path is absolute.
- The path includes a direct parent-directory reference.

Reported-by: XlabAI Team of Tencent Xuanwu Lab
Reported-by: Valery Gubanov <[email protected]>
Author: Michael Paquier <[email protected]>
Reviewed-by: Amit Kapila <[email protected]>
Backpatch-through: 14
Security: CVE-2026-6475

Branch
------
REL_18_STABLE

Details
-------
https://git.postgresql.org/pg/commitdiff/6a67c540a6dc4e391560789dd29cdbb246e659e0
Author: Michael Paquier <[email protected]>

Modified Files
--------------
src/bin/pg_rewind/file_ops.c  | 23 +++++++++++++++++++++++
src/fe_utils/astreamer_file.c | 12 ++++++++++++
src/fe_utils/astreamer_tar.c  |  4 ++++
src/include/port.h            |  1 +
src/port/path.c               | 17 +++++++++++++++++
5 files changed, 57 insertions(+)

reply

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Reply to all the recipients using the --to and --cc options:
  reply via email

  To: [email protected]
  Cc: [email protected], [email protected]
  Subject: Re: pgsql: Prevent path traversal in pg_basebackup and pg_rewind
  In-Reply-To: <[email protected]>

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

This inbox is served by agora; see mirroring instructions
for how to clone and mirror all data and code used for this inbox